A member of the Gartner Blog Network

Paul Proctor
VP Distinguished Analyst
10 years at Gartner
28 years IT Industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.

Resetting the Definition of IT-GRC at Gartner

by Paul Proctor  |  May 15, 2013  |  1 Comment

IT-GRC is essentially enterprise GRC functions (workflow, data repository, regulatory mapping, etc.) focused on IT-specific needs. The only reason we have IT-GRC is because, traditionally, the original GRC vendors were focused on addressing SOX and other global financial integrity regulations and were terrible at IT requirements. That gap is closing, however.

For the last two years, IT-GRC has started to bifurcate into IT-related GRC functions and security operations functions. These market changes have caused us to reset Gartner’s use of the term IT GRC to provide useful guidance to our clients in selecting appropriate technologies for their requirements.

GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. See my previous post Why I Hate the Term GRC.

In 2013, there is little evidence that security technology data is being used in any material or comprehensive manner to directly support senior IT and business leadership in decision making. However, there is an important evolution in the prioritization and remediation of vulnerability and security configuration management data using business context that is changing vulnerability management and other security operations use cases. This evolution will be covered separately from IT GRC technologies.

Gartner experience on client and reference calls has indicated that IT GRC needs fall roughly in two areas. The first supports oversight and governance functions that typically bridge IT information to support IT and business leadership for reporting and decision making. This is present in use cases such as vendor risk management, policy management, integrated risk reporting and risk assessment. The second supports information security operations requirements through the centralization of security technology data. This is present in use cases such as vulnerability management, continuous monitoring and the management of technology-centric compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS).

Consider a metaphor where a horizontal line is used to separate IT from non-IT business needs (see figure below). The first area can be described as "above the line," and the second area can be described as "below the line."

[Figure: IT GRC use cases above and below the line]

Using patch management as an example, the operations functions that monitor patch states, prioritize and guide remediation are all within the first line of defense. They are considered below the line and not within the definition of IT GRC. The governance functions that use patch information to rate business units on patching effectiveness to guide risk-related decision making are part of the second line of defense. They are above the line and considered to be a part of core IT GRC activity.
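As an added illustration (not code from the original post or from Gartner), here is a small Python sketch of that split: one constructed patch-state export, read by two consumers. The below-the-line consumer builds the operator's remediation queue (severity, exposure, age); the above-the-line consumer rates each business unit on patching effectiveness against an assumed remediation SLA and colours it for a dashboard. The hosts, business units, patch identifiers, SLA windows and rating thresholds are all invented for the example.

```python
"""Same patch data, two consumers: operations below the line, governance above it."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchRecord:
    host: str
    business_unit: str
    patch_id: str
    severity: str          # "critical" | "high" | "medium" | "low"
    released: date         # vendor release date of the patch
    installed: bool        # reported state on this host
    internet_facing: bool  # exposure, as the asset inventory records it


# Constructed sample export, as a patch-management tool might produce it.
AS_OF = date(2013, 5, 15)
SAMPLE = [
    PatchRecord("web-01", "Retail", "patch-2013-03a", "critical", date(2013, 3, 12), False, True),
    PatchRecord("web-02", "Retail", "patch-2013-03a", "critical", date(2013, 3, 12), True, True),
    PatchRecord("db-01", "Retail", "patch-2013-04a", "high", date(2013, 4, 9), False, False),
    PatchRecord("hr-01", "HR", "patch-2013-04a", "high", date(2013, 4, 9), True, False),
    PatchRecord("hr-02", "HR", "patch-2013-05a", "critical", date(2013, 5, 14), False, False),
    PatchRecord("hr-03", "HR", "patch-2013-04b", "medium", date(2013, 4, 23), False, False),
    PatchRecord("fin-01", "Finance", "patch-2013-03a", "critical", date(2013, 3, 12), True, False),
    PatchRecord("fin-02", "Finance", "patch-2013-05a", "critical", date(2013, 5, 14), True, False),
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def remediation_queue(records, as_of=AS_OF):
    """Below the line: order missing patches for the operators who will apply them.

    Highest severity first, then internet-facing hosts, then the oldest gap.
    """
    missing = [r for r in records if not r.installed]

    def key(r):
        age_days = (as_of - r.released).days
        return (-SEVERITY_RANK[r.severity], not r.internet_facing, -age_days)

    return sorted(missing, key=key)


def patching_effectiveness(records, as_of=AS_OF):
    """Above the line: percentage of in-scope patches per business unit that are
    either installed or still inside their SLA window. A missing patch that is
    not yet overdue counts as compliant here, even though operations still
    works on it below the line."""
    totals = defaultdict(lambda: {"in_scope": 0, "compliant": 0})
    for r in records:
        t = totals[r.business_unit]
        t["in_scope"] += 1
        overdue = (not r.installed) and (as_of - r.released).days > SLA_DAYS[r.severity]
        if not overdue:
            t["compliant"] += 1
    return {bu: round(100 * t["compliant"] / t["in_scope"], 1) for bu, t in totals.items()}


def rating(pct):
    """Hypothetical dashboard thresholds; real programs set their own."""
    if pct >= 95:
        return "green"
    if pct >= 80:
        return "amber"
    return "red"


def dashboard(records, as_of=AS_OF):
    """Above the line: one (percentage, colour) pair per business unit."""
    return {bu: (pct, rating(pct)) for bu, pct in patching_effectiveness(records, as_of).items()}


if __name__ == "__main__":
    print("Operator queue (below the line):")
    for r in remediation_queue(SAMPLE):
        print(f"  {r.host:7} {r.severity:9} {r.patch_id}")
    print("Business-unit rating (above the line):")
    for bu, (pct, colour) in dashboard(SAMPLE).items():
        print(f"  {bu:8} {pct:5.1f}% {colour}")
```

Note how the two views disagree on purpose: hr-02 is second in the operator queue because its missing patch is critical, yet HR is green on the dashboard because the patch is still inside its SLA window. That is the line the post draws: the same feed answers "what do I fix next" below it and "how well is this unit run" above it.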

IT GRC technologies and providers for above-the-line use cases will be published in the latest MarketScope for IT GRC. Below-the-line requirements will be addressed, in part, as an extension of vulnerability management. There is no hard definition for below-the-line use cases that have been excluded from IT GRC because this is an evolving set of solutions that include traditional IT GRC vendors and vulnerability management vendors.

Our new definition of IT-GRC

IT GRC technologies are used primarily to bridge IT-related data in support of senior IT and non-IT decision making. This is composed of functions for mapping controls into control objectives, survey capabilities, workflow to support non-IT decision making, and non-IT executive reporting.

The use cases for security operations will no longer be referenced as IT GRC at Gartner and will be considered an extension of vulnerability management research for the benefit of IT operations. This is composed of functions for the import of technical data from third-party products, workflow to support prioritization and IT remediation activities, and an IT asset database supporting IT decision making.

IT GRC is composed of functions to support non-IT decision making and non-IT executive reporting:

  • Controls and policy mapping.
  • Survey capabilities.
  • GRC asset repository.
  • Workflow.
  • IT risk evaluation and dashboards.

The functions supporting data import from third-party security tools, such as vulnerability assessment and security configuration management, remain a part of IT GRC. However, these functions are primarily used in support of the below-the-line security technology use cases.

These changes seem to have everyone in a tizzy. But here’s the bottom line: Security operations is security operations. Gartner is not going to call that IT GRC. So there.

Follow me on Twitter (@peproctor)

1 response so far ↓

  1. Dorian Cougias, Compliance Scientist, May 22, 2013 at 1:02 pm

    Academic question to clarify what you wrote. You state:

    “IT GRC technologies are used primarily to bridge IT-related data in support of senior IT and non-IT decision making. This is composed of functions for mapping controls into control objectives, survey capabilities, workflow to support non-IT decision making, and non-IT executive reporting.”

    And later:

    “IT GRC technologies and providers for above-the-line use cases will be published in the latest MarketScope for IT GRC. Below-the-line requirements will be addressed, in part, as an extension of vulnerability management.”

    And finally, that IT GRC tools must support:

    “Controls and policy mapping
    Survey capabilities

    IT risk evaluation and dashboards”

    Q: You didn’t specifically spell out communicating with SIEM and SCM products as part of the function (and other tools as might arise in the future). Is that to be interpreted as a given?

    The reason I ask this is because an IT GRC tool can’t map controls or “survey” the organization’s following of controls for IT GRC if the IT GRC tool can’t gather that information from below-the-line tools.

    Here’s an example of an audit question that maps to a harmonized control (bullet 1 on your list) as well as would affect the risk dashboard (bullet 5 on your list):

    PCI DSS Section 4.3.5.5.6 asks the organization to examine the setting “file contents” of the configurable item The Startup Configuration File of Network Access and Control Points. The SCM tool must verify they are the same as and synchronized between devices as evidenced in the sample of Startup Configuration Files.

    This requires the IT GRC tool to have bullets 1, 2, and 3 working in conjunction with the ability to communicate “below-the-line” with an SCM tool to gather the information to then report back and create the dashboard (bullet 5).

    Because if the GRC tools don’t have that capability, then they aren’t fit for IT GRC tools, because this is the governance of Information Technology.

    So, in a nutshell, what you are saying is that IT GRC tools are those with the capability of doing bullets 1 through 5 *as long as they have the ability to communicate and share data with security operations tools below-the-line*.

    Yes?